IRDF Reference List v0.1 (Draft for mass peer review)

From: Matthew.Brownat_private
Date: Wed Mar 20 2002 - 10:20:47 PST

    Folks
    
            Here is the next draft for your review. Comments and suggestions 
    are welcome. Be nice.  Please send your additions, changes, deletions, and 
    suggestions directly to me to cut down on list traffic. I will post v1.0 
    when it is ready and it will be, by no means, finished or set in stone.
    
            There are still some pending emails I have to do some research on 
    before adding items to the list.
    
            Please note that security scanners are out of scope for this list. 
    I realize that they can offer clues to open security holes, but that would 
    leave the door open for a massive list of general security tools. All 
    items need to be associated with or assist in Incident Response / Digital 
    Forensics (IRDF).
    
    Thanks,
    Matthew Brown, CISSP
    
    Network tools:
            dig
            hping
            ethereal (www.eathereal.com)
            iptraf
            netcat (nc)
            nmap (www.nmap.org)
            ntop (www.ntop.org)
            ping
            SilentRunner (www.raytheon.com/c3i/c3iproducts/c3i021/c3i021.htm)
            snoop
            tcpdump (www.tcpdump.org)
            tcpwrappers
            traceroute
            trafshow (www.tuxfinder.com/thematic/tree.php3?category=8&offset=2)
            Whisker
            whois
    
    Traps/Sandboxes
            LaBrea
            Recourse ManTrap
    
    Surveillance
            Desktop Surveillance (www.toolsthatwork.com/ttw-forensic.shtml)
            netcat (nc)
            filemon (www.sysinternals.com)
            regmon (www.sysinternals.com)
            SilentRunner (www.raytheon.com/c3i/c3iproducts/c3i021/c3i021.htm)
    
    IDS (To Detect):  (These are the tools that create the evidence we end up 
    examining during incidents, after all)
            Addamark Technologies' Log Management System (LMS) (www.addamark.com/product)
            BlackIce
            Cisco Network Based Sensor (Formerly NetRanger)
            Dragon
            Entercept / Cisco IDS Host Sensor
            Intruder Alert
            Internet Security and Accelerator (ISA Server) Microsoft 
    IDS/Firewall/VPN/ContentFilter/Cache/Authentication
            Niksun's NetDetector
            Netprowler
            Network Flight Recorder
            RealSecure
            Seeing Stone (www.wetstonetech.com) (Multi-vendor sensor console)
            SilentRunner (www.raytheon.com/c3i/c3iproducts/c3i021/c3i021.htm)
            Smart Watch (www.wetstonetech.com)
            snort (www.snort.org)
            Tripwire
            VigilEnt Security Agents
            ZoneAlarm
    
    Evidence Capturing - Software:
            EnCase (www.GuidanceSoftware.com)
            dd (comes with *nix). Sometimes used with Netcat (nc) for capturing 
    over the network.
            pdd (dd for Palm OS)
            SafeBack
            SilentRunner (www.raytheon.com/c3i/c3iproducts/c3i021/c3i021.htm)
            SnapBack
            Byte Back (www.toolsthatwork.com/ttw-forensic.shtml)
            WinHex
    
    Evidence Capturing - Hardware:
            ImageMaster Solo2 - Hardware duplicator
            Solitare
            F.R.E.D. and his brothers - Hardware
            Forensic Steel Towers
            Forensic AirLite (www.forensic-computers.com)
    
    Evidence Examination:
            AccessData's Forensic Toolkit
            Autopsy Forensics Browser (Used with TCT output)
            Coroner's Toolkit (TCT)
            Detective (www.toolsthatwork.com/ttw-forensic.shtml)
            EnCase (www.guidancesoftware.com)
            ForensiX (www.all.net) (Law Enforcement only)
            NTI (www.forensics-intl.com)
            Paraben's PDA Seizure
            SilentRunner (www.raytheon.com/c3i/c3iproducts/c3i021/c3i021.htm)
            WinHex
    
    Data Recovery:
            OnTrack's Easy Recovery
            Norton Utilities
            NTI (www.forensics-intl.com)
            Coroner's Toolkit (TCT)
            WinHex
    
    Bootable CD-ROMs:
            Biatchux (http://biatchux.dmzs.com)
            PLAC/WhiteGlove (www.all.net)
    
    Certifications that certify in the areas of Digital Forensics, Incident 
    Response, or Digital Investigations:
            High Tech Crime Network (HTCN) (www.htcn.org)
            Global Information Assurance Certification (www.giac.org)
            HTCN - High Tech Crime Network
            IACIS - International Association of Computer Investigative Specialists (www.cops.org)
    
    Training - Organizations that train in the areas of Digital Forensics, 
    Incident Response, or Digital Investigations:
            CERT (www.cert.org)
            Foundstone - (www.foundstone.com/services/ir-forensics.html)
            Guidance Software (EnCase) (www.guidancesoftware.com)
            NTI (www.forensics-intl.com)
            SANS & SANSfire (www.sans.org)
            @stake (www.l0pht.com/services/education/courses.html)
            University of Texas at Austin (http://learning.bus.utexas.edu/tec/incident_response.htm)
    Check out http://www.fletc.gov/,
    http://www.compuforensics.com/training.htm and
    http://www.krollworldwide.com/training/courses.cfm
    
    Professional Organizations:
            HTCIA - High Tech Crime Investigative Association (www.htcia.org)
            HTCN - High Tech Crime Network
            FLETC - Federal Law Enforcement Training Center
            IACIS - International Association of Computer Investigative Specialists (www.cops.org)
            NWCCC - National White Collar Crime Center
            The ForensiX Consortium
    
    Emailing Lists:
            forensixat_private (Law Enforcement only!) 
            forensix-subscribeat_private
    
    Other Web Resources:
            CERT (www.cert.org and www.cert.org/csirts)
            CFRDC - Computer Forensics Research Development Center (Utica College) (www.ecii.edu/cfrdc.html)
            CFTT - NIST Computer Forensics Tool Testing Project (www.cftt.nist.gov)
            CFTT - Yahoo group that is not affiliated with NIST (http://groups.yahoo.com/group/cftt)
            DETS - Digital Evidence Timestamping (www.wetstonetech.com)
            DoD Computer Forensics Lab (www.dcfl.gov)
            The Honeynet Project (http://project.honeynet.org)
            Justice Technology Information Network (www.nlectc.org)
            samspade.org
            US Air Force Research Lab (www.if.afrl.af.mil)
            www.incident-response.org (Robert Lee's site)
            www.washington.edu/People/dad (Dave Dittrich's site)
            www.porcupine.org (Wietse Venema's site)
            www.cs.auckland.ac.nz/~pgut001 (Peter Gutmann's site)
            http://brouk.psychol.utas.edu.au (Vlasti Broucek)
            http://vip.poly.edu/kulesh/forensics (Kulesh Shanmugasundaram's site)
    
    Books:
            "Computer Forensics: Incident Response Essentials" by Kruse and 
    Heiser, Addison-Wesley ISBN: 0201707195
            "Know Your Enemy: Revealing the Security Tools, Tactics, and 
    Motives of the Blackhat Community" edited by Lance Spitzner, 
    Addison-Wesley ISBN: 0201746131.
            "Handbook of Computer Crime Investigation: Forensic Tools & 
    Technology" by Eoghan Casey, Academic Press ISBN: 0121631036.
            "Digital Evidence and Computer Crime" by Eoghan Casey, Academic 
    Press, ISBN: 012162885X.
            "Cyber Forensics: A Field Manual for Collecting, Examining, and 
    Preserving Evidence of Computer Crimes" by Marcella and Greenfield, 
    Auerbach Publications, ISBN: 0849309557.
            "Computer Forensics: Computer Crime Scene Investigation" by John 
    R. Vacca, Charles River Media, ISBN: 1584500182.
            "Computer Forensics and Privacy" by Michael Caloyannides, Artech 
    House, ISBN: 1580532837.
            "Incident Response: Investigating Computer Crime" by Chris 
    Prosise, Kevin Mandia, McGraw-Hill, ISBN: 0072131829.
            "Forensic Computing: A Practitioner's Guide" by Tony Sammes, et 
    al, Springer Verlag, ISBN: 1852332999.
            "Information Assurance: Surviving the Information Environment" by 
    Blyth and Kovacich, Springer Verlag, ISBN: 185233326X.
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 07:29:03 PST